Month: July 2008

So what’s the difference?

Not much or a lot depending on your opinion. WPA uses TKIP for key management, whereas WPA2 uses AES-CCMP. Usually depending on how the AP has been set up, you can use either (TKIP or AES-CCMP) interchangeably, thus using WPA or WPA2 as needed. Many older devices like those running Windows Mobile 5, only support WPA with TKIP, while WPA2 is now required for Wi-Fi Alliance‘s “WiFi CERTIFIED” moniker.

This is a pretty rough overview, however in the end the general consensus is WPA2 is more secure due in part to it’s use of the government/industry preferred AES protocol for key protection. However WPA is probably sufficient for the vast majority of uses and is infinitely better than using WEP protocol. WEP really is only useful for keeping your average neighbor off your network – any mildly serious attacker will be able to compromise a WEP based wireless network.

As long as I’m on the subject, hiding your SSID is also basically a useless joke as there are so many tools to sniff them even when not set to “broadcast”. Either use WPA(2) or further encapsulate your traffic over a VPN connection. Still, in general as an extra layer of protection, you ought to disable “broadcast SSID“, though because of the way the protocol works the benefit is honestly nearly nil. Still, “layered security” is the way to go.

When researching using WPA on Ciscos I ran into a lot of useful URLs as resources. If you’re in the same bind, you may find them helpful too:

• http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml
• http://articles.techrepublic.com.com/5100-1035-6148543.html
• http://articles.techrepublic.com.com/5100-1035-6148581.html
• http://i.t.com.com/i/tr/downloads/home/gou_secure-wireless-guide.pdf
• http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml
• http://www.ccitraining.net/courses/cwls.shtml
• http://projectdream.org/publications/windows/eap-peap-cisco-windows-2003.html
• http://www.networkcomputing.com/1409/1409ws13.html
• http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a008024aa4f.shtml
• http://cio.cisco.com/univercd/cc/td/doc/product/wireless/airo1100/accsspts/ap11icg/ivicgaut.htm
• http://www.networkworld.com/research/2002/0506whatisit.html
• http://tldp.org/HOWTO/html_single/8021X-HOWTO
• http://en.wikipedia.org/wiki/IEEE_802.1Q
• http://www.cisco.com/en/US/docs/wireless/access_point/12.2_15_JA/configuration/guide/s15vlan.html
• http://hardware.mcse.ms/archive80-2005-8-223677.html
• http://www.cisco.com/univercd/cc/td/doc/product/access/mar_3200/wlsnotes/cfwlsmod.htm
• http://www.cisco.com/univercd/cc/td/doc/solution/mblacrdg.pdf
• http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800a7af6.shtml
• http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wrsec_an.htm

Not a pretty list, but still good to put somewhere!

If you’re investigating things like enterprise WPA and/or NAC based network control you’ll probably run into the fact that it uses 802.1x protocol. So what is 802.1x?

Basically the long and short of it is IEEE 802.1x is just a protocol to pass EAP over wired/wireless LANs. EAP on the other hand is just a protocol to take the AP/RAS/switch/router out of the stream of authentication. It is a way of tunneling the authentication request to a Radius server and let the two figure out the authentication without the AP/RAS/switch/router having to handle it.

A good primer on the subject is here:

http://www.networkworld.com/research/2002/0506whatisit.html

Incidentally the user unfriendly term “supplicant” will often come up. Much as it sounds like something fancy, it isn’t. In most regards it just means the client you’re trying to connect to the network, however more officially it’s the process(es) on the client taking care of the 802.1x authentication. The client runs the supplicant to authenticate, to quote:

The wireless node that requests authentication is often called Supplicant, although it is more correct to say that the wireless node contains a Supplicant. The Supplicant is responsible for responding to Authenticator data that will establish its credentials. The same goes for the access point; the Authenticator is not the access point. Rather, the access point contains an Authenticator. The Authenticator does not even need to be in the access point; it can be an external component.

So ultimately the “supplicant” is really a program running on the client. Also see:

http://tldp.org/HOWTO/html_single/8021X-HOWTO

which also is a useful document.

As a final note, often the EAP passed in the 802.1x conversation is encapsulated in what’s called “PEAP” (yes, all of the acronyms are a pain!). Essentially PEAP is a public key based method of encrypting the EAP payload via SSL/TLS, thus protecting the authentication from prying eyes.

If you must use WPA-PSK (meaning WPA with a pre-shared key, rather than WPA using 802.1x authentication via Radius), make sure your key is sufficiently long. Ideally 20 characters or more.

To quote:

Robert Moskowitz’s article, “Weakness in Passphrase Choice in WPA Interface,” describes a theoretical attack on WPA passwords. The tools WPA-psk-bf, CoWPAtty and WEP Crack are implementations of this attack and have demonstrated the ability to break WPA-PSK keys that are 20 characters or fewer. The Aircrack tool suite operates in an active or passive mode to gather the data required to launch these attacks. In passive mode, the Aircrack tools capture the four-packet authentication handshake between an AP and client. The handshake is then processed through a WPA breaking tool for an offline brute-force attack. If the attacker has not captured the handshake, the Aircrack tools active mode will force a disassociation and reassociation.

For more see this article:

http://www.chips.navy.mil/archives/05_jul/web%20pages/Wireless_networks.htm

which gives a fairly comprehensive overview of the challenges here.